[PATCH] Improve krb5 KDC tests, kdc behaviour

Andreas Schneider asn at samba.org
Fri Jan 30 12:52:50 MST 2015


On Saturday 31 January 2015 08:41:12 Andrew Bartlett wrote:
> On Fri, 2015-01-30 at 20:33 +0100, Andreas Schneider wrote:
> > On Saturday 31 January 2015 07:54:33 Andrew Bartlett wrote:
> > > On Fri, 2015-01-30 at 17:45 +0100, Andreas Schneider wrote:
> > > > On Friday 30 January 2015 17:44:12 Andrew Bartlett wrote:
> > > > > Metze,
> > > > > 
> > > > > Attached are some improvements to our KDC test script, and a fix for
> > > > > our KDC.
> > > > 
> > > > Andrew,
> > > > 
> > > > Please change
> > > > 
> > > > -	if (principal->name.name_string.len >= 2) {
> > > > +	if (principal->name.name_type == KRB5_NT_PRINCIPAL
> > > > +	    && principal->name.name_string.len >= 2) {
> > > > 
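Review bot: the `-`/`+` lines above reach into Heimdal's internal Principal layout (principal->name.name_type, principal->name.name_string.len), so the check only compiles against Heimdal; the accessor form suggested next, smb_krb5_principal_get_type() and krb5_princ_size(), expresses the same condition through the library API and keeps it portable to an MIT build.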
> > > > to
> > > > 
> > > > if (smb_krb5_principal_get_type(context, principal) == KRB5_NT_PRINCIPAL
> > > >     && krb5_princ_size(context, principal) >= 2) {
> > > 
> > > Thanks,
> > > 
> > > I'll do that on Monday.  I do realise this patch set is both a blessing
> > > and a curse (to use an expression) for your efforts, because:
> > >  - it is the first time we have had a serious test suite for KDC
> > >    behaviour,
> > >  - it imposes some quite strict behaviour expectations on both the krb5
> > >    libs and the KDC and
> > >  - but it uses Heimdal-specific code (like the ASN.1 parser) and
> > >    functions that could be implemented in MIT (but are not) like the
> > >    send_to_kdc hooks to get there.
> > > 
> > > Asking to use the helper functions where available is quite reasonable,
> > > and I'll do that.
> > 
> > It makes it easier to rebase our MIT patchset which has quite some patches
> > 
> > asn at magrathea:~/workspace/projects/samba/git> git w
> > ## master-mit-kdc...origin/master [ahead 116]
> 
> Indeed!
> 
> > > All that said, it has been a very worthwhile effort, because we have
> > > found some very interesting and subtle bugs along the way.
> > > 
> > > My updated krb5-upn2 branch shows how we can test the canonicalize flag
> > > for the TGS-REQ, shows that we need to fix our tests in that area, and
> > > points to a direction for testing S4U2Self and S4U2Proxy behaviour,
> > > which I think will become an even more important area in the future.
> > 
> > We probably need the same for MIT Kerberos but currently we still don't
> > understand some things.
> > 
> > The current bug I'm trying to hunt down is that Kerberos auth works just
> > fine as a user, but not with the machine account ...
> > 
> > kinit works but then gss_init_sec_context() in gensec_gssapi_update()
> > fails with:
> > 
> > Matching credential not found
> 
> You will see I had exactly that error in my tests - in Heimdal, the
> krb5_mk_req_exact() code handles having the wrong case/name of the
> target realm, but krb5_get_creds() does not in these combinations:
> 
> test_data->canonicalize == false && test_data->enterprise == false
> && (test_data->upper_realm == false || test_data->netbios_realm == true)
> 
> Perhaps you have some issues in the server-side canonicalisation code in
> your KDC, that is different between machine and user accounts?
> 
> My guess is that it is looking for a TGT with the realm, but it is
> stored in another case.

This is what I have guessed, but gd didn't believe it is the issue. The TGT is 
requested for LOCALADMEMBER$@SAMBA.EXAMPLE.COM and we get a TGT for 
localadmember$@SAMBA.EXAMPLE.COM ...

https://www.cloudshark.org/captures/fa35bc16bbb0

frame 1375 is the request in UPPER case
frame 1380 is the response in LOWER case


	-- andreas

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org